Compliance with the European Union’s (EU) General Data Protection Regulation (GDPR) goes beyond a comprehensive security regime and requires new processes, but many organisations are still unprepared, studies show.
Businesses should not overlook the fact that the GDPR may require fundamental changes to internal business processes, Tim Maiorino, a data protection lawyer at Osborne Clarke, warned at Consumer Identity World Europe 2017 in Paris.
He highlighted the GDPR requirements of implementing the principles of privacy by design and data minimisation, and obtaining explicit and informed consent for all data collection and processing activities.
The right to be forgotten is also enshrined in planned UK data protection legislation, expected to be enacted in early 2018, which will replace the 1988 Data Protection Act with law that mirrors the GDPR, in pursuit of the government’s goal of ensuring an unhindered exchange of data between the UK and the EU after Brexit.
According to the Clearswift poll of 600 business decision makers and 1,200 employees from the UK, US, Germany and Australia, 75% of employees are likely to exercise their right to erasure under the GDPR.
The new EU data protection law dictates that an individual can request their data to be removed or deleted when there is no compelling reason for a business to continue processing that data.
Despite the well-established rhetoric about boards historically distancing themselves from security, board-level staff were by far the most likely to request erasure, with 73% saying they would be extremely or very likely to do so.
However, the survey revealed that only 34% of businesses have successfully conducted a data erasure request so far.
The survey shows that the marketing/public relations (PR) sector is the least confident in handling erasure requests, with only 23% stating that they could handle requests without any impact, whereas 50% of those in human resources (HR) were sure of their ability to handle them without issue.
But nearly half (48%) of business decision makers said dealing with requests on the level indicated by the employee survey will have serious consequences for their business, slowing down productivity as resource is allocated to dealing with these requests. A small number of business decision makers (5%) even said their organisation would grind to a halt.
Guy Bunker, senior vice-president products at Clearswift, said the right to erasure is an “extremely challenging” aspect of GDPR.
“Organisations need to balance an understanding of the data landscape in the organisation with a wider knowledge of the day-to-day practices in the business, including the possible pitfalls. For example, if businesses do not have a record of data duplication or are unaware of staff copying data, data erasure requests won’t be conducted correctly.”
According to Bunker, only through working with various departments that hold and process critical data to map storage locations and data flows can organisations create the necessary understanding.
“Even when the information goes outside the organisation, this data is still your responsibility, so you need to know who you’ve shared it with and through which communication channels so you can effectively execute a data erasure request. Deletion can then be carried out automatically leveraging technology, or manually,” he said.
Differences in attitude
The survey shows that the desire for data erasure is far greater among those in the private sector (78%) compared with those in the public sector (65%).
The difference in attitude towards data security between these two sectors is evidenced further by the fact that more than a quarter of public sector employees (28%) are not worried by recent global cyber attacks, compared with just 17% in the private sector.
“Businesses also have to be aware that the right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances, but there are exceptions for certain sectors,” said Bunker.
“Not all data is created equally, and some cannot be ‘forgotten’ on request. For example, you could not contact your local GP and ask for the right to be forgotten, because the practice would not be permitted to delete your information. Similarly, if you have purchased goods you cannot expect the transaction data to be deleted in an arbitrary manner,” he said.
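As an added illustration of the mapping Bunker describes (example code written for this page, not from the article or Clearswift), the constructed data map below records every known copy of a customer's data, which department holds it, whether it was shared externally and through which channel, and whether a retention basis such as the transaction-data exception prevents deletion; the planner turns an erasure request into one action per copy and flags copies found in systems the map does not know about, the duplication gap the quote warns of. The system names and the retention basis are assumptions invented for the example.

```python
"""Plan a GDPR erasure request against a data map of known copies."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    system: str                # where a copy of the personal data lives
    owner: str                 # department that holds this copy
    external: bool = False     # copy held by a third party we shared it with
    channel: str = ""          # how it got there (relevant for external copies)
    retention_basis: str = ""  # legal/contractual reason this copy must be kept


# Constructed example data map for one data-subject category (hypothetical systems).
DATA_MAP = {
    "customer": [
        Location("crm", "marketing"),
        Location("email-archive", "marketing"),  # staff copy found during mapping
        Location("mailing-provider", "marketing", external=True, channel="API sync"),
        Location("orders-ledger", "finance",
                 retention_basis="transaction records (tax law)"),
    ],
}


def plan_erasure(category, data_map=DATA_MAP):
    """Return (system, action, detail) per known copy.

    action is 'retain' when a retention basis applies (the exception Bunker
    describes), 'notify' for an external recipient that must be asked to delete,
    and 'delete' for an internal copy the owning department removes itself.
    """
    actions = []
    for loc in data_map.get(category, []):
        if loc.retention_basis:
            actions.append((loc.system, "retain", loc.retention_basis))
        elif loc.external:
            actions.append((loc.system, "notify", f"request deletion via {loc.channel}"))
        else:
            actions.append((loc.system, "delete", loc.owner))
    return actions


def unmapped_copies(category, observed_systems, data_map=DATA_MAP):
    """Systems observed holding the data (e.g. by an inventory scan) that are
    absent from the map: copies an erasure run would otherwise miss."""
    known = {loc.system for loc in data_map.get(category, [])}
    return sorted(set(observed_systems) - known)
```

The list returned by unmapped_copies is the point at which manual follow-up with the department concerned is needed before the request can be closed.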
With the GDPR compliance deadline just six months away, the Close Brothers Business Barometer, published in November 2017, shows the UK’s small business community remains unsure about a number of related issues.
Small to medium-sized enterprises (SMEs) are struggling to come to grips with what “personal data” really means, their customers’ new and extended rights, and whether the permissions they currently have to contact customers will meet the requirements of GDPR, the data shows.